SNMP is one of the often overlooked services when pentesting networks. We generally focus on well-known services such as web or database servers. However, there is plenty of additional information available if we start considering SNMP when auditing networks.

Devices suitable for SNMP pentesting: Juniper SSG5

SNMP is present in most modern network devices


SNMP stands for Simple Network Management Protocol. It is generally used by network monitoring applications to read and write network state variables (state of the interface, no. of sent packets etc.). Types of managed devices include servers, workstations and network devices.

SNMP services run by default on the 161 UDP port. And as Shodan shows, there is quite a bunch of SNMP devices available publicly on the Internet.

If we add SNMP pentesting to our pentest, we can gather important information about the network, such as topology, system users…

SNMP pentesting tools

SNMP communications are generally protected by using an authentication string called community string. There are two types of community strings, a read-only community string that gives us access to the general variables of the network and a read-write one, that also allows us to set specific variables.

Therefore, knowing these community strings is vital to get access to the network information and it is the first step performed on SNMP pentesting once the devices have been identified. The default values of these strings are public and private, and you’d be surprised how many times remain unchanged. However, there are tools that aim to brute-force them to access the relevant information managed, in case it has been changed. There are many tools that carry this and retrieval tasks, some of them based on the popular Nmap and Metasploit frameworks.


We talked about Nmap in our previous post about port scanning in industrial networks. This popular tool has has a full built-in SNMP library that many NSE scripts directed to SNMP pentesting, for example, guessing community strings or extract information from different sources (especially from Windows systems):

NSE Script Purpose
snmp-brute Attempts to find an SNMP community string by brute force guessing
snmp-hh3c-logins Attempts to enumerate Huawei / HP/H3C Locally Defined Users
snmp-info Extracts basic information from an SNMPv3 GET request
snmp-interfaces Attempts to enumerate network interfaces through SNMP
snmp-ios-config Attempts to download Cisco router IOS configuration files
snmp-netstat Attempts to query SNMP for a netstat like output
snmp-processes Attempts to enumerate running processes through SNMP
snmp-sysdescr Attempts to extract system information from an SNMP version 1 service
snmp-win32-services Attempts to enumerate Windows services through SNMP
snmp-win32-shares Attempts to enumerate Windows Shares through SNMP.
snmp-win32-software Attempts to enumerate installed software through SNMP.
snmp-win32-users Attempts to enumerate Windows user accounts through SNMP



The Metasploit Framework is another popular tool, designed to exploit different, usually remote machines. In this case, it also features a number of tools directed to ease SNMP pentesting.

Cisc0wn is a brute-force cracker, built on top of Metasploit (but not integrated in it), that aims to get community strings, similar to snmp-brute.

As Nmap, Metasploit has some auxiliary modules that aid us to easily extract information from SNMP enabled devices:

Auxiliary module Purpose
snmp_enum Performs detailed enumeration of a host or range of hosts via SNMP
snmp_enumshares Queries a range of hosts via SNMP to determine any available shares.
snmp_enumusers Queries a range of hosts via SNMP and gathers a list of usernames on the remote system
snmp_login scans a range of IP addresses to determine the community string for SNMP-enabled devices

As we can see, there is quite a wide range of tools that enable brute-forcing SNMP credentials and gather network information rather easily. Therefore, it is necessary to secure SNMP communications by disabling it on devices that do not need it, or if it is necessary to use SNMP, use  strong passphrases. Moreover, it is better to use version 3 of SNMP, as it is more secure than the previous ones, featuring traffic authentication and encryption.

Finally, I leave you a video where the usage of some of the SNMP pentesting tools above mentioned is shown, in an almost real environment: